Forefront Security for Office Communications Server Release Notes


Applies to: Forefront Security for Office Communications Server

Microsoft Forefront Security for Office Communications Server, Version SYBARI_PRODUCT_MAJOR.


Thank you for using Microsoft Forefront Security for Office Communications Server, antivirus protection for Microsoft Office Communications Server. This Readme file contains important information regarding the current version of the product. It is highly recommended that you read the entire document.

To view the latest updated Readme.htm, check:

What's in this file

  • Important Notes
  • Known Issues
  • The EICAR Antivirus Test File


Minimum Server Requirements:

  • The minimum server requirements for FSOCS RU4 or higher are the same as the corresponding OCS 2007, OCS 2007 R2, or Lync 2010 minimum requirements on which FSOCS is installed. At the time of this writing they are the following:
    • Requirements for Lync 2010: (64 bit only) Windows Server 2008 R2, Windows Server 2008 SP2
    • Requirements for OCS 2007 R2: (64 bit only) Windows Server 2008, Windows Server 2003 R2 SP2, Windows Server 2003 SP2
    • Requirements for OCS 2007: Windows Server 2003 SP1 or higher
  • Microsoft Office Communications Server Standard Edition or Enterprise Edition with one of the following server roles configured: Front End, Access Edge, Director.
  • 1 gigabyte (GB) of free memory, in addition to that required to run OCS (2 GB recommended). NOTE: with each additional scan engine used, more memory is needed for each scanning process.
  • 2 GB of available disk space. This is in addition to the disk space required for Microsoft OCS.
  • Intel processor (1 GHz)

Minimum Workstation Requirements:

  • Windows Server 2003, Windows 2000 Professional, Windows XP, or Windows Vista
  • .NET 2.0 is required for an Administrator-only installation
  • 6 MB of available memory
  • 10 MB of available disk space

Important Notes

  1. After a fresh installation, new signature files must be downloaded to ensure the most up-to-date protection. An hourly scanner update for each licensed engine is scheduled. These updates will start 5 minutes after Forefront Security for Office Communications Server services are started.


    You should successfully update at least one engine before the installation is considered complete.
    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  2. The standard Forefront Security for Office Communications Server license includes several antivirus scan engines. During a fresh installation, all are selected for scanning; the Forefront Server Security Administrator can subsequently be used to change the engine selection.

  3. To enable the Forefront Server Security Administrator to connect to a remote Forefront server, the "Anonymous Logon" group must be granted remote access permission. To make this change, run 'dcomcnfg'. Expand Component Services, right click My Computer, and then select Properties. On the COM Security tab, click Edit Limits and add remote access to the "Anonymous Logon" user.
    On Windows XP SP2, an additional setting change must be made to allow the Forefront Server Security Administrator application through Windows Firewall. Open Control Panel, and then open 'Security Center'. Click Windows Firewall, and on the Exceptions tab, click 'Add Program'. Select Forefront Server Security Administrator from the list, and then click OK to return to the Exceptions tab. Select the checkbox for Forefront Server Security Administrator, and then click 'Add port'. Give the port a name, enter '135' for the port number, and select TCP. Click OK twice.
    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  4. Forefront Security for Office Communications Server is able to scan the first part of a multi-part RAR file. Any other part of a multi-part RAR will be treated as CorruptedCompressed, and be treated according to the "Delete Corrupted Compressed Files" setting.

  5. To prevent Forefront from requiring a reboot during an upgrade or uninstall, shut down the MOM agent (or any other monitoring software) and make sure that any command prompts or Explorer windows do not have the Forefront installation folder or any of the subfolders open. After the upgrade or uninstall is complete, start the MOM agent again.

  6. Microsoft Forefront Security for Office Communications Server does not support customers using their own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  7. Forefront Security for Office Communications Server database path names (DatabasePath registry key) have a maximum size of 216 characters.

  8. If you change the install path, its name must be less than 170 characters.

  9. Localized database path names (in the DatabasePath registry key) are not supported.

  10. UNC paths specified for engine updates must not end with a backslash ("\").

  11. Importing filter lists from a UTF-8 formatted file is not supported.

  12. Keyword filtering analyzes the contents of Excel files, as well as the Text, HTML, Word, and PowerPoint types shown in the Forefront Server Security Administrator.

  13. Single node management of Forefront Security for Office Communications Server is available via the Forefront Server Security Administrator. Multi-server management of Forefront Server Security through the Microsoft Forefront Security Management Console is not available.

  14. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the servers involved should be configured with uniform locale settings. Specifically, the System Locale settings of the computer where the server is being run should match the User Locale settings of the computer where the client is being run. If these two locales do not match, date and time information will be presented in a combination of formats that may be confusing.

  15. You can move the Quarantine and Incidents databases. However, for FSOCS to function properly, you must move both databases, and all related databases and support files. For more information, see "Moving the databases" in the "Reporting and statistics" chapter of the "Forefront Security for Office Communications Server User Guide".

  16. In order to allow external users to make and receive file transfers, follow these steps:

    1. Navigate to the FSOCS installation directory.
    2. Run the NetworkInterfaceSelector.exe tool.
    3. Use the Internal interface and External interface drop-down lists to specify the internal and external network interfaces. Select the appropriate interface for each, then click Apply.
    4. Close the program. The settings take effect immediately.

  17. The notification account should not be used to log in via Communicator. This account should be treated as an administrative service account only. Messages that are sent to and from this account are bypassed by the FSOCS scan engines.

  18. Product Integration: OCS 2007, OCS 2007 R2, and Lync 2010 allow applications to register and integrate with the SIP messaging stream in RTC Server. Forefront for OCS integrates into all three platforms in this way.
    Forefront registers itself as a critical application which ensures that OCS and Lync will not be allowed to start if Forefront fails to start for any reason.
    Forefront provides the capability to temporarily disable filtering and scanning through its administrative console under general options. Disabling Forefront in this way will allow all messages and files to go through un-scanned. When Forefront services are recycled, the product will unregister itself and no longer appear in areas such as the Lync Server Control Panel. Forefront can be re-enabled through the administrative console followed by recycling services after which Forefront will re-appear within the OCS / Lync platform.

  19. Message Scanning and Filtering: Forefront is able to scan and filter message bodies sent between two or more participants. All messages pass through the server where Forefront is installed.

  20. File Transfer Scanning and Filtering Limitations:
    Lync 2010 clients are capable of performing peer-to-peer as well as group file transfers. Forefront is able to scan and filter file transfers only when two participants are involved. When three or more participants are involved in the conversation, file transfers are exchanged using a conferencing role that Forefront does not protect. In this scenario, files are not scanned or filtered by Forefront.
    The Lync 2010 client added additional functionality (ICE, TURN, STUN) to overcome previous limitations in which attempts to create a direct connection between peers failed due to firewall issues such as clients behind a NAT. Lync also changed the protocol for peer to peer file transfers from using FTP in OCS 2007 / OCS 2007 R2 to using RTP. With Forefront installed, Lync clients can be expected to use the earlier client behavior with respect to establishing connections as well as the use of FTP.

  21. Forefront for OCS can be installed on the Front End, Edge, and Director Roles on OCS 2007 and OCS 2007 R2 and on the Front End and Edge roles on Lync 2010. Installation on the Edge and Director Roles enables Forefront to offload some scanning from the Front End role to these other roles.

  22. There are a few important notes related to installing on the Edge role on Lync 2010:
    On the FSOCS setup panel Notification Account Setup, you must provide the fully qualified domain name of the SIP URI user account that will be used to log in to the Front End computer. Additionally, you must select Transport type TLS, not TCP.

    If the two previous settings are not set correctly during installation, the Forefront logs will show errors when a login is attempted. This can be corrected after installation by making changes in the Forefront Administrative console under General Settings\IM Notification Agent.

    After installing on the Edge role, you MUST register the Forefront deployment with the Front End server in order for it to work.
    To register it, you must know the fully qualified domain name of the Edge server as in
    You must then run the following command from a Lync PowerShell prompt on the Front End server:
        New-CsServerApplication -Identity "Service:<FQDN of Edge Server>/ForeFrontRTCProxy" -Uri "" -Enabled $True -Critical $True
    After uninstalling from an Edge role, you MUST unregister the Forefront deployment by running the following command from a Lync PowerShell prompt on the Front End server:
        Remove-CsServerApplication -Identity Service:EdgeServer:<>/ForefrontRTCProxy


    After you run either of the previous commands to register or unregister, you can verify that the registration is present or removed either by running the command Get-CsServerApplication in PowerShell and looking for the Forefront Edge server registration, or from the Lync Server Control Panel.
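
    A read-only check for the registration described in notes 18 and 22, as an added example that is not part of the original release notes: run from a Lync PowerShell prompt on the Front End server, it reports a Forefront Edge entry that is missing, disabled, or not marked critical. The function name Test-ForefrontEdgeRegistration and the sample FQDN are assumptions; the identity match is case-insensitive because the notes spell the application both ForeFrontRTCProxy and ForefrontRTCProxy.

```powershell
# Added example: verify the Forefront Edge registration from the Front End server.
# Test-ForefrontEdgeRegistration and edge01.contoso.example are hypothetical names.
function Test-ForefrontEdgeRegistration {
    param(
        [Parameter(Mandatory = $true)]
        [string]$EdgeFqdn
    )

    # Get-CsServerApplication lists every registered server application.
    # Keep only entries whose identity ends in "<Edge FQDN>/ForefrontRTCProxy"
    # (-like compares case-insensitively).
    $apps = @(Get-CsServerApplication | Where-Object {
        "$($_.Identity)" -like "*$EdgeFqdn/ForefrontRTCProxy"
    })

    if ($apps.Count -eq 0) {
        Write-Warning "No ForefrontRTCProxy registration found for $EdgeFqdn."
        return $false
    }

    $ok = $true
    foreach ($app in $apps) {
        if (-not $app.Enabled) {
            Write-Warning "$($app.Identity) is registered but not enabled."
            $ok = $false
        }
        if (-not $app.Critical) {
            # Note 18: the critical registration is what keeps the server
            # from starting when Forefront fails to start.
            Write-Warning "$($app.Identity) is not marked critical."
            $ok = $false
        }
    }
    return $ok
}

# Expect $true after registering, and $false (with a warning) after unregistering.
Test-ForefrontEdgeRegistration -EdgeFqdn 'edge01.contoso.example'
```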

Known Issues

  1. Installation and uninstallation on Lync 2010 Edge role requires that some specific steps be followed, including manual registration with the Front End server (see Important Notes #22, in the previous section).
  2. There are known File Transfer Scanning and Filtering Limitations when used with Lync 2010 (see Important Notes #20, in the previous section).
  3. Attachments compressed with PKWARE's DCL-Implode are not scanned.
  4. Attachments compressed with PKWARE's Deflate64(tm) are not scanned at this time.
  5. Installing Microsoft Forefront Security for Office Communications Server in a folder that contains non-ASCII characters is not supported. Choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~.
  6. If you have multiple filter lists with names that differ only by case, they will not work properly.
  7. If you run the Repair option from setup.exe after the product has been installed and all FSOCS services are running, the FSCController and the FSCMonitor services will be disabled and marked for deletion. If this occurs, uninstall FSOCS, restart the server, and then reinstall FSOCS. If services are stopped before running Repair, this problem does not occur.
  8. If a user (A) sends a file to another user (B), until the file transfer is complete, user A cannot send instant messages or other files to user B. User A can receive instant messages from user B, but not files. User A can, however, send or receive instant messages or files to or from any other user.


The documentation for this product is distributed in .chm format and is provided with this package. After installation, access help either from the Forefront Server Security Administrator interface or use the F1 key when running the Forefront Server Security Administrator.

The EICAR Antivirus Test File

Provided below is the code for the EICAR Standard Antivirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.


When done, you will have a 69-byte or 70-byte file.

You can use this file to check into an OCS server for testing. FSOCS will report finding the EICAR-STANDARD-AV_TEST-FILE virus. If you have "cleaning" enabled, FSOCS will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain the following string when viewed: "Microsoft Forefront Security for Office Communications Server found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The antivirus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.